Webcam spying gets more attention

So, apparently Miss Teen USA’s computer got infected with a webcam-spying remote access trojan. So someone got some sneaky pictures of her, and tried to blackmail her. Fortunately, instead, she decided to talk about it.

This is good. The majority of people don’t take computer security seriously enough. This could get some people talking, finally.

Unfortunately, the one effective technique against something like this–application whitelisting–isn’t available for the home versions of Windows. Most people think of application whitelisting as a corporate thing, but a signature-based whitelist would keep this kind of software from running on a home PC, which is the target for webcam snooping. Home users need it too. And unfortunately, it’s the people who are most likely to buy the cheaper home version who need it the most. Are you listening, Microsoft?

In the meantime, keep a piece of tape on your webcams, I guess.

But maybe now that Miss Teen USA is running around the talk show circuit talking about this stuff, people will start thinking that maybe, just maybe, bad stuff doesn’t always just happen to other people’s computers. Because it doesn’t.

As a security professional, I’m glad for anything that raises awareness. Because security awareness is one of the DSD Top 35 mitigations–it’s #20. And of the 35, it’s the hardest to buy.

And if you’re not scared enough yet, it’s possible to do webcam spying not only with a laptop, but also with a smart TV. It’s a little harder with smart TVs because they’re all a little different, but nobody thinks about their smart TV, and the manufacturers rarely, if ever, update them to fix security bugs. Fortunately, TV hacking is, as far as we know, more in the realm of theory right now than active exploitation, but it’s only a matter of time before that changes. The time to pressure manufacturers–or just stop buying smart TVs–is now.

When a photocopy isn’t

Thanks to Dan Bowman for reminding me of this: Due to a bug in the compression engine in some Xerox photocopiers, copies aren’t necessarily identical from generation to generation. For example, it’s very easy for a “6” to become an “8.” Not good.

There was a Dilbert cartoon where the pointy-haired boss, to Wally’s chagrin, proofread photocopies. Suddenly that joke doesn’t seem quite so funny.

As cheap as storage is, I have a hard time understanding why copiers use lossy compression. There are good lossless compression algorithms out there that ensure each copy will be as close to identical as the scanning hardware permits. And I understand the desirability of image enhancement technology–it would make fuzzy documents easier to read–but such a feature should be optional, so as to avoid situations like this.

If you use Xerox equipment, be sure to bug your rep for a fix. Early and often.

I’m glad Ryne Sandberg is getting a chance

I grew up admiring Ryne Sandberg. He was a hard-hitting, smooth-fielding second baseman, and while his hitting statistics look a little wimpy compared to the steroids era, in the 1980s the sight of him in the on-deck circle struck fear in the hearts of opposing pitchers. He went on to be inducted into the Hall of Fame, and I’m glad to have had the chance to watch him play. I watched him a lot, because all the Cubs games were on WGN, which was available nationally.

Now Sandberg is the new manager of the Phillies. As a Kansas City Royals fan–bear with me–I have a special perspective on this.

Goodbye Amazon Affiliates, hello Viglink

I’ve been an Amazon affiliate for more than a decade, which meant that if I mentioned a product, posted a link to Amazon and someone clicked the link and bought it, I got a little bit of money. It didn’t make me rich, but in a good year, I made a couple hundred dollars, which paid for the upkeep of the site.

Well, Amazon and the state of Missouri are fighting, so Amazon is discontinuing the affiliate program for Missouri residents. The loss won’t break me, but by the same token, it’s nice to have that money coming in to pay for things like equipment upgrades. I found Viglink, and I’m going to give that a try.

Bad news about smartphones, but maybe not all bad

When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.

Via a text message you’ll never see, it’s possible to hack the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others–repeating wimpy 56-bit crypto with the same key three times doesn’t make it any less wimpy–then send the cards a malicious Java applet, which busts out of the security on the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things like listen in on phone calls and intercept text messages.

Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them.

The Sero 7 tablets got cheaper last week and I missed it

Amid competition from newer, faster tablets like the 2013 model Nexus 7, Hisense cut the price of its low-cost 7-inch Android tablets. The low-end Sero 7 now costs $79, and while the reviews on that tablet aren’t all that great, it’s much better than last year’s $79 tablet. The Sero 7 Pro, which I own, now costs $129.

They’re imperfect tablets–the Sero 7 Pro, even with its recent update, still crashes from time to time when I use a keyboard with it–but they were fine for the money at their old prices, and at their new prices, it’s hard to go wrong. I expect that eventually they’ll attract enough third-party development that there will be ROMs available to address their shortcomings.

No, using an emergency fund to pay off credit card debt isn’t a good idea

It seems like I’ve been finding a lot of financial questions online lately. I guess that’s good–it means people are thinking. The best question I’ve found this week is whether you should use your emergency fund to pay off credit card debt.

Mathematically, it makes sense to do so. But one thing I remember hearing time and time again as we were paying off massive quantities of debt was not to empty bank accounts in order to do it. The reason for it was simple: Life is unpredictable.

Watch your embedded security

If there’s a theme I’ve heard over and over again this year, it’s that it’s time to pay attention to security in embedded devices like routers, other network equipment, televisions, and the other devices around us. This is the soft underbelly, and frankly, it’s probably a time bomb.

The astonishing thing is that we’re now protecting our computers with devices that have bigger security holes than our computers do.